Making sense of The Local Vocal
Every alert is tagged with a risk level, one or more threat types, and where you'd encounter it. Here's what each label means.
Risk levels
A serious, active threat. It's likely you'll come across it, and it can cause significant harm — financial loss, a data breach, or a hijacked account. Treat it as urgent and act now.
A real threat that's circulating and could catch people out, with meaningful disruption or loss if it succeeds. Stay alert and make sure your team knows about it.
Worth knowing about, but either unlikely to reach you or limited in impact if it does. Good background awareness rather than an immediate worry.
Risk reflects a blend of how likely you are to encounter something and how much harm it could do — our team sets it for every alert.
Threat Type — the harm
What the attack is ultimately trying to do to you. The Local Vocal uses twelve curated categories.
- Account Takeover
- An attacker gains control of a legitimate account — email, Microsoft 365, banking or SaaS — then uses that access to steal data, move funds or launch further attacks from inside.
- Adware
- Software (often bundled with free downloads or delivered via malvertising) that forces unwanted ads, hijacks browser search or tracks your browsing habits. Rarely destructive on its own, but a strong signal the device has been compromised.
- Data Breach
- Unauthorised access to or disclosure of confidential information — customer records, credentials, financial data or intellectual property. Often the end goal of an account takeover, ransomware attack or supply-chain intrusion.
- Denial of Service
- An attack designed to overwhelm a website, network or service so legitimate users can't access it (DoS / DDoS). Frequently used as extortion leverage — or as a smokescreen while another attack runs in the background.
- Email Compromise
- The attacker either impersonates or has taken over an internal mailbox and uses it to redirect payments, change invoice details, or extract sensitive information from colleagues and suppliers.
- Malicious Link
- A URL crafted to steal credentials, harvest data, or silently install harmful software when a target clicks it — typically embedded in a phishing message, SMS or ad.
- Malware
- Umbrella term for any malicious software — trojans, worms, viruses, keyloggers, remote-access tools, botnet clients. Can be delivered by any vector (email attachment, USB, drive-by download, supply-chain update).
- Phishing
- Fraudulent messages that trick you into revealing passwords, card details or other information by pretending to come from someone you trust (bank, IRD, Microsoft, colleague).
- Scam/Fraud
- Deception designed to trick you out of money, goods or services — invoice fraud, fake refunds, tech-support scams, romance/investment schemes and similar.
- Social Engineering
- Manipulation of people — through urgency, authority, sympathy or trust — into acting against their own interest (approving an MFA prompt, sharing a code, transferring funds).
- Spyware
- Malware that silently monitors what you do — keystrokes, screen contents, camera/microphone, browser sessions — and exfiltrates it to the attacker. Common tool for stealing banking credentials and live MFA codes.
- Ransomware
- Malware that encrypts your files and demands payment for the decryption key. Modern variants also steal data first and threaten to publish it (double-extortion) whether you pay or not.
Encountered Via — where you'd meet it
The channel a reader would first encounter this threat. One of nine taxonomies.
- The threat first reaches you in your inbox — a message, link or attachment designed to trick, infect or defraud you.
- Social Media
- The threat first surfaces on a social platform (Facebook, Instagram, LinkedIn, TikTok) — usually as a fake ad, sponsored post, impersonated brand page or a DM from a compromised contact.
- Sign-ins
- The threat targets your login screens directly — automated password-guessing, credential stuffing, MFA-fatigue prompts or infrastructure probing against Microsoft 365 / Google Workspace / VPN portals.
- Website / Web search
- The threat is discovered by browsing or via a search engine — a poisoned result, malicious ad, fake support number, or a look-alike company page that ranks alongside the legitimate one.
- SMS / Text
- The threat arrives by text message — a fake courier notice, bank alert, IRD refund or MFA prompt that links to a scam page (sometimes called "smishing").
- Phone call
- Voice-based social engineering — tech-support scams, spoofed bank fraud calls, IRD impersonation, or robocalls that pressure you into paying or handing over codes.
- Application
- A software vulnerability being actively exploited in a product your business uses — anchored by a specific CVE (Common Vulnerabilities and Exposures) identifier so you can look up and patch it.
- Supply chain
- Attackers reach you through a trusted upstream vendor or software update pipeline. You're not the direct target — a supplier is — but the compromise flows downstream to your systems.
- Removeable media
- Malware carried on USB sticks, SD cards or external drives — the classic "lost USB in the carpark" or infected vendor drive. Bypasses email and web defences entirely.
Reading a threat card — the technical detail
Some alerts include structured evidence. Here's what each of those panels means.
Email authentication (SPF / DKIM / DMARC / COMPAUTH)
- SPF (Sender Policy Framework)
- Checks whether the email came from a server the domain owner authorised to send on their behalf. A Fail means the sender isn't on the approved list — a strong sign of spoofing.
- DKIM (DomainKeys Identified Mail)
- A cryptographic signature proving the message really came from the claimed domain and wasn't tampered with in transit. A Fail means the signature is missing or invalid.
- DMARC (Domain-based Message Authentication)
- Ties SPF and DKIM together and tells the receiving server what to do when a message fails — reject or quarantine it. A Fail means the message didn't meet the domain's own policy.
- COMPAUTH (Composite Authentication)
- Microsoft 365's overall verdict, combining SPF, DKIM, DMARC and its own signals. A Fail is Microsoft's summary judgement that the sender couldn't be trusted.
Domain checks
- Sender / From domain
- The domain the message claims to come from. Attackers often use look-alike domains (e.g. ird-refunds.co instead of ird.govt.nz).
- Reply-To domain
- Where a reply is actually sent. If it differs from the From domain, replies can be quietly routed to the attacker's inbox.
- Newly registered domain
- A domain created very recently (within ~90 days). Legitimate businesses rarely email you from a brand-new domain — scammers register throwaway ones constantly.
Domain / IP reputation
- Abuse score
- A 0–100 rating of how often an IP address has been reported for malicious activity (from sources like AbuseIPDB). 0–24 is low, 25–74 is elevated, and 75–100 means the address is a known, heavily-reported source of attacks.
- ISP (Internet Service Provider)
- The network that carried the traffic — Cloudflare, Spark NZ, Linode, etc. Identifying the ISP tells you whether the attack came from consumer broadband, a data-centre, a mobile carrier, or a bulletproof host.
- ISP function
- What the ISP does — Hosting provider, Residential broadband, Carrier-grade NAT, VOIP wholesale. This context matters: a hosting provider IP acting as a mail sender is far more suspicious than the same IP from a residential connection.
- ISP reputation
- A qualitative assessment of the ISP's history — clean, mixed, historically high abuse, or bulletproof host (a provider that deliberately ignores abuse complaints). When we don't have a confident signal, this field reads "Reputation Unknown".
Targeted app
- Targeted app
- The specific service the attackers are trying to break into — for example Microsoft 365, Outlook Web or a banking portal. Knowing the target tells you exactly where to tighten protection (e.g. enforce MFA on that service).
Sign-in attacks & mitigations
- Sign-in attack
- Repeated attempts to log into your accounts. We classify the pattern and recommend the most effective way to shut it down.
- Attack profile
- The key facts about the attempts — the auth method used, the main reason logins failed, how many attempts there were, and how many accounts were targeted.
- Recommended mitigations
- The specific policy changes (like enforcing MFA number-matching, blocking legacy protocols, or tightening Conditional Access) that best neutralise the pattern we detected.
Where our information comes from
Every alert is grounded in first-hand data from the systems we manage, cross-checked against trusted New Zealand and international security sources.
First-hand data from the networks, mailboxes and devices we manage across Otago — the earliest signal of what's actually hitting local businesses.
New Zealand's government cyber-incident reporting service — advisories, threat reports and quarterly scam trends.
NZ government technical advisories on serious vulnerabilities and nationally significant threats.
New Zealand's independent online-safety organisation — scam and harm reports affecting Kiwis.
MBIE's register of scams currently circulating in New Zealand.
Official list of current tax-refund and IRD impersonation scams.
Microsoft 365, Windows and Azure vulnerability disclosures and security updates.
Widely-followed advisories on actively-exploited vulnerabilities and global threat campaigns.
Alerts and advisories from across the Tasman — often the same campaigns reach NZ soon after.
Community-reported database of malicious IP addresses — the basis for the abuse score shown on some alerts.
Record of known data breaches — used to gauge whether credentials in an attack are likely leaked.

